API for sending alert information to external systems
Kaspersky Anti Targeted Attack Platform provides an API that lets external systems retrieve information about all alerts generated by the program, not just the scan results for objects that those external systems submitted for scanning.
In order to receive information only for alerts that satisfy certain conditions, you can specify filters in the request parameters.
The program does not automatically send information about new alerts based on prior requests. A new request must be sent to receive up-to-date information.
Special considerations for operation in the distributed solution
If the program operates in the distributed solution mode, an external system can complete the authorization procedure only on the SCN server. Authorization on the PCN server is not available.
In this case, an external system cannot receive information about all alerts registered in the infrastructure using a single request. This limitation arises because the common database which contains records about all alerts in the infrastructure is stored on the PCN server. To receive information about all alerts, the external system must query each SCN server separately.
Request to display alert information
To create a request to display information about Kaspersky Anti Targeted Attack Platform alerts, the HTTP GET method is used. You can create a request by using the cURL command-line utility, for example.
Command syntax

```shell
curl --cert <path to the TLS certificate file> --key <path to the private key file> -X GET "<URL of the server with the Central Node component>:<default port 443>/kata/scanner/v1/sensors/<sensorId>/detects?detect_type=<one or more technologies that were used to generate the alert>&limit=<number of alerts in the response to the request>&token=<request ID>"
```
If the request is processed successfully, you will see a list of alerts generated by Kaspersky Anti Targeted Attack Platform on the server of the external system.
Settings

Parameter | Type | Description
---|---|---
sensorId | String | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform.
detect_type | Array | Technology that was used to generate the alert. You can specify a comma-separated list of technologies. Possible values:
limit | Integer | Number of objects for which information is provided in response to the request. Allowed values: integers from 1 to 10,000. The default value is
token | String | Request ID. If this parameter is specified, a repeated request does not show alert information that was obtained by prior requests. This helps avoid duplication of information about the same alerts in case of repeated requests. If this parameter is not specified, information about all alerts is provided.
Returned value

Return code | Description
---|---
 | Operation completed successfully.
 | Incorrect parameters.
 | Number of requests exceeded.
 | Authorization required.
 | Internal server error. Repeat the request later.
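The request above, combined with the distributed-solution rule that each SCN server must be queried separately and the token parameter that suppresses already-delivered alerts, amounts to a small polling client. The following is an added example, not code from the Kaspersky documentation: it builds the detects URL with the page's parameters, presents the client certificate the way `curl --cert/--key` does, and polls every SCN with one stable token. The JSON response layout (a list of alert objects) and the `fetch` injection hook are assumptions for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode


def build_detects_url(base_url, sensor_id, detect_types, limit=None, token=None):
    """URL for GET /kata/scanner/v1/sensors/<sensorId>/detects with the documented query parameters."""
    if limit is not None and not 1 <= int(limit) <= 10000:
        raise ValueError("limit must be an integer from 1 to 10,000")
    params = {"detect_type": ",".join(detect_types)}  # comma-separated list of technologies
    if limit is not None:
        params["limit"] = int(limit)
    if token:
        params["token"] = token  # request ID: the server withholds alerts already delivered to this ID
    return f"{base_url.rstrip('/')}/kata/scanner/v1/sensors/{sensor_id}/detects?{urlencode(params)}"


def make_mtls_context(cert_file, key_file):
    """Client-certificate TLS context, the equivalent of curl --cert/--key."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def fetch_json(url, ctx):
    """Perform the GET and decode the body (assumed to be a JSON list of alert objects)."""
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return json.load(resp)


def collect_alerts(scn_servers, sensor_id, detect_types, token, fetch=fetch_json, ctx=None, limit=1000):
    """Poll each SCN separately (authorization on the PCN is not available) and merge the results,
    tagging every alert with the SCN it came from. Reusing the same token on every polling cycle
    makes each SCN return only alerts it has not yet delivered to this external system.
    Servers that answer with an HTTP error (e.g. "Number of requests exceeded") are reported in
    `failed` so the caller can retry them on the next cycle instead of losing their alerts."""
    merged, failed = [], []
    for server in scn_servers:
        url = build_detects_url(server, sensor_id, detect_types, limit, token)
        try:
            alerts = fetch(url, ctx)
        except urllib.error.HTTPError as err:
            failed.append((server, err.code))
            continue
        merged.extend({"scn": server, **alert} for alert in alerts)
    return merged, failed
```

For a live run pass `ctx=make_mtls_context(cert, key)` and the SCN base URLs; the technology names in `detect_types` must be the values the documentation lists for `detect_type`.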
Example of entering a command with switches
Scope of transmitted data

Information that is transmitted for each alert is listed in the following table.

Scope of transmitted alert data

Parameter | Value | Description
---|---|---
 | Integer value. | Alert ID.
 | Date and time. | Event time.
 | Date and time. | Time when alert information was recorded in the Kaspersky Anti Targeted Attack Platform database.
 | One of the following values: | Alert importance.
 | One of the following values: | Source of the detected object.
 | One of the following values: | Technology that was used to detect the object.
 | One of the following values: | Type of detected object.
 | Depends on the type of detected object. |
 | Depends on the technology that was used to detect the object. |
 | Depends on the source of the detected object. |
Data on detected objects

The scope of transmitted data on detected objects, depending on the type of the object, is listed in the following table.

Data on detected objects

 | Parameter | Data type | Description | Example
---|---|---|---|---
 | | MD5 | MD5 hash of the file or composite object that was sent for scanning. |
 | | SHA256 | SHA256 hash of the file or composite object that was sent for scanning. |
 | | String | Name of the file or composite object that was sent for scanning. |
 | | String | Type of the file or composite object that was sent for scanning. |
 | | Integer | Size of the file or composite object that was sent for scanning, in bytes. |
 | | MD5 | MD5 hash of the file (simple object or file within a composite object) in which the threat was detected. |
 | | String | Name of the file (simple object or file within a composite object) in which the threat was detected. |
 | | Integer | Size of the file (simple object or file within a composite object) in which the threat was detected, in bytes. |
 | | String | URL of the detected object. |
 | | Array | List of domains to which the detected objects belong. |
Data on detected threats

The scope of transmitted data on detected threats, depending on the technology that was used to generate the alert, is listed in the table below.

Data on detected threats

Technology | Parameter | Description | Data type | Example
---|---|---|---|---
One of the following technologies: | | List of detected threats. | Array |
 | | Version of databases used to scan the file. | Integer |
Sandbox | | List of detected threats. | Array |
 | | Name of the virtual machine image where the file was scanned. | String |
 | | Database version in the following format: | Integer |
URL Reputation | | List of URL Reputation categories for the detected object (for objects of type | Array |
Targeted Attack Analyzer | | Name of the TAA module alert. The only possible value is | |
Data on the environment of detected objects

The scope of transmitted data on the environment of detected objects, depending on the source of the object, is listed in the following table.

Data on the environment of detected objects

Source of the object | Parameter | Description | Data type | Example
---|---|---|---|---
 | | IP address of the computer that established the connection. | IP address |
 | | Name of the computer that established the connection. | String |
 | | IP address of the computer with which the connection was established. | IP address |
 | | Port of the computer with which the connection was established. | Integer |
 | | URL of the web resource that was accessed. IDS technology alerts do not have this parameter. For URL technology alerts, this parameter has the same value as the | String |
 | | HTTP request method. | String |
 | | URL from which the redirect was made. | String |
 | | | String |
 | | Sender's email address. | String |
 | | Comma-separated list of recipient email addresses. | Array |
 | | Subject of the message. | String |
 | | Email message ID. | String |
 | | Name of the computer on which the alert was generated. | String |
 | | IP address of the computer on which the alert was generated. | IP address |
 | | IP address of the computer that initiated the DNS connection. | IP address |
 | | IP address of the computer with which the DNS connection was established (typically, a DNS server). | IP address |
 | | Port of the computer with which the DNS connection was established (typically, a DNS server). | Integer |
 | | Type of the DNS message: | String |
 | | One of the following DNS request types: | String |
 | | Domain name from the DNS request. | String |